An OAuth 2 authentication token can contain two authentications: one for the client and one for the user. Since some
OAuth authorization grants don't require user authentication, the user authentication may be null.